14603 matches found
Enfold Theme < 4.8.4 - Reflected Cross-Site Scripting (XSS)
The Enfold theme was vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder. PoC The issue appears when pagination comes in place while navigating on a WordPress site with Enfold theme active. When that...
Duplicate Page < 4.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. The attempt to fix the issue in 4.4.2 is insufficient and...
Calendar_plugin <= 1.0 - Reflected Cross-Site Scripting
The Calendarplugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $SERVER'PHPSELF' in the /calendar.php file which allows attackers to inject arbitrary web scripts...
Clean Login 1.12.6.3 - Reflected Cross-Site Scripting
The plugin does not escape the url parameter in its login form page, leading to a Reflected Cross-Site Scripting issue PoC Append the following payload on a page where the clean-login shortcode is embed: ?url=" Example: https://example.com/clean-login/?url="...
Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection
The plugin did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages. PoC http://www.example.com/wp-admin/admin.php?page=pms-members-page=userid=asc,select from selectsleep10a...
uListing < 2.0.6 - Settings Update via CSRF
A Settings Update via CSRF vulnerability was discovered in the plugin. Missing WPNonce security tokens https://codex.wordpress.org/WordPressNonces . PoC PoC 1 | CSRF | Main Settings Update: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: admin cookies User-Agent: Mozilla/5.0...
WP Upload Restriction < 2.2.5 - Missing Access Control in deleteCustomType
Missing access control in deleteCustomType function allows authenticated users, such as subscribers, to delete custom extensions...
Popup box < 2.3.4 - Authenticated Blind SQL Injections
The getayspopupboxes and getpopupcategories functions of the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard PoC Exploit All of them with same technique...
Yada Wiki < 3.4.1 - Contributor+ Stored XSS
The plugin did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue PoC - Create a wiki page. If there is already a page, you can skip. The page can be a draft. - Add this shortcode to a post/page, view it and move the mouse over...
Glass <= 1.3.2 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. PoC Add the...
Jannah < 5.4.5 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action, leading to a Reflected Cross-site Scripting XSS vulnerability. PoC POST /demo/wp-admin/admin-ajax.php HTTP/1.1 Host: jannah.tielabs.com User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:89.0...
WordPress Popular Posts < 5.3.3 - Authenticated Code Injection
Jerome Bruandet from NinTechNet discovered a code injection issue in the plugin before 5.3.3: "When thumbnails settings are set to 'Custom field name' and 'Resize image from Custom field' they aren’t by default, a user with contributor role or above can bypass the file type verification, download...
WP Google Maps < 8.1.12 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue Note: The vendor attributed the issue in the changelog to the wrong reporter us, WPScan, as we reported it on behalf of th...
Car Repair Services < 4.0 - Unauthenticated Reflected XSS & XFS
The theme did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue PoC https://smartdata.tonytemplates.com/car-repair-service-v4/car1/estimateresult/result?s==...
Listeo < 1.6.11 - Multiple XSS & XFS vulnerabilities
The theme did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues - Unauthenticated Reflected XSS | Search query, vulnerable parameters: keywordsearch and locationsearch - Authenticated Persistent XSS & XFS |...
WPGraphQL < 1.3.6 - Denial of Service
The plugin suffers from a Denial of Service vulnerability by Field Duplication. It is possible to create an expensive query by duplicating the number of fields, while simultaneously sending these requests in batches using GraphQL's Batching capability. v1.3.6 added a setting to disable batch...
Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting (XSS)
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/options-general.php?page=moove-redirect-settings=" onMouseOver="alert1;...
Popup by Supsystic < 1.10.5 - Reflected Cross-Site scripting (XSS)
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue PoC /wp-admin/admin.php?page=popup-wp-supsystic="onmouseover=alert1//...
Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE
The plugin does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE. PoC POST /addalisting/ HTTP/1....
Patreon WordPress < 1.7.0 - CSRF to Disconnect Sites From Patreon
The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the plugin, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a specially crafted link...
Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
The runaction function of the plugin deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution. PoC Step 1: Use the nonce...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Icon Box Widget
In the plugin, the icon box widget includes/widgets/icon-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript in...
Photo Gallery by 10web < 1.5.69 - Reflected Cross-Site Scripting (XSS)
The plugin did not properly sanitise the bwgsearchX GET parameter, available in a frontend gallery when the Show Search Box setting is enabled disabled by default, leading to a reflected Cross-Site Scripting issue PoC Append the below payload in a page with an embedded gallery and the Show Search...
Easy Registration Forms <= 2.0.6 - CSV Injection
Easy Registration Forms ER Forms Wordpress Plugin 2.0.6 allows an attacker to submit an entry with malicious CSV commands. After that, when the system administrator generates CSV output from the forms information, there is no check on this inputs and the codes are executable...
Post Grid < 2.0.73 & Team Showcase < 1.22.16 - PHP Object Injection
Ram Gall from Wordfence discovered an authenticated subscriber+ PHP Object Injection vulnerability in the Post Grid and Team Showcase WordPress plugins...
WP Customer Reviews < 3.4.3 - Multiple Unauthenticated and Low Priv Authenticated Stored XSS
Multiple stored cross-site scripting vulnerabilities in WP Customer Reviews 3.4.2 and lower allow remote attackers to inject arbitrary JavaScript code or HTML. PoC If WP Customer Reviews is enabled on a page, an unauthenticated attacker can exploit XSS via review form's parameters: - Reviewer Nam...
Advanced Access Manager < 6.6.2 - Authenticated Information Disclosure
The plugin’s aam/v1/authenticate and aam/v2/authenticate REST endpoints were set to respond to a successful login with a json-encoded copy of all metadata about the user, potentially exposing users’ information to an attacker or low-privileged user. This included items like the user’s hashed...
Coming Soon Page, Under Construction & Maintenance Mode by SeedProd < 5.1.2 - Authenticated Stored Cross Site Scripting (XSS)
Authenticated stored cross-site scripting issues in some of the plugin settings, requiring high privileges. PoC Affected fields are in the settings of the plugin and will be triggered when the common soon page is displayed either the preview or normal one: Logo: x' onerror='alert/XSS/ Headlines:...
bbPress < 2.6.5 - Authenticated Stored Cross-Site Scripting via the forums list table
binit discovered a stored XSS issue via the forums list table. The payload is put and can only be triggered by accounts with the Keymaster bbPress role...
Advanced Order Export For WooCommerce < 3.1.4 - Authenticated Cross-Site Scripting (XSS)
The Advanced Order Export plugin for WooCommerce versions 3.1.4 had a reflected XSS vulnerability due to lack of input sanitization on the woeposttype parameter. This allowed arbitrary HTML and JavaScript injection and execution in the context of the logged in user. PoC On a WooCommerce...
Cookiebot < 3.6.1 - Authenticated Reflected Cross-Site Scripting (XSS)
Versions prior to 3.6.1 are susceptible to this attack, which allows hackers to exploit the vulnerability found on administrative pages...
Newsletter < 6.5.4 - CSV Injection
A CSV Injection vulnerability was discovered in Wordpress Newsletter plugin. It allows a user with low level privileges or no privileges to inject a command in subscription form that will be included in the exported CSV file, leading to possible code execution...
Modern Events Calendar Lite < 5.1.7 - Multiple Subscriber+ Stored XSS
Modern Events Calendar Lite registers a number of AJAX actions for logged-in users. Some of these actions allow low-privileged users like subscribers to manipulate settings and other stored data. When exploited in this way, the affected data can be injected with various XSS payloads...
WP Intercom Slack <= 1.2.2 - Slack Access Token Disclosure
The Intercom plugin through 1.2.2 leaks a Slack Access Token in source code. An attacker can obtain a lot of information about the victim's Slack channels, members, etc...
AdRotate Banner Manager <= 5.2 - Authenticated SQL Injection
The vendor states: "Earlier this week I was contacted by a security research firm who has apparently been poking around in the code of AdRotate and they found an issue in AdRotate Free. Upon checking the code following their advisory I found a potential weak point in AdRotate Pro as well. Though...
Ultimate Member < 2.0.52 - CSRF and Stored XSS issues
A CSRF vulnerability in adding/editing user roles in Ultimate Member 2.0.49. It also lead to stored XSS. Edit WPScanTeam: July 9th, 2019 - v2.0.50 released and still affected. Escalated to WP Plugins Team July 9th, 2019 - v2.0.51 released, fixing the CSRF but not the XSS July 11th, 2019 - Escalat...
Import users from CSV with meta <= 1.14.1.3 - CSRF leading to attachment deletion & Path Traversal
CSRF leading to attachment deletion via the acuideleteattachment AJAX function...
Sina Extension For Elementor <= 2.2.0 - LFI
The Sina Extension for Elementor WordPress plugin was affected by a LFI security vulnerability...
ConvertPlus <= 3.4.4 - Multiple Issues
According to the changelog: 3.4.5 - Security: User with none role gets created on form submission by curl request for variants. 3.4.4 - Improved sanitization, escaping and other security improvements...
Slick Popup <= 1.7.1 - Privilege Escalation
Subscriber users are able to create an administrator account with hardcoded login credentials. PoC Hardcoded username "slickpopupteam" and its password is OmakPass13...
FV Flowplayer Video Player <= 7.3.13.727 - Unauthenticated Stored XSS
The vulnerable function is exposed to unauthenticated users over wpajaxnoprivfvwpflowplayeremailsignup ajax hook. It saves anything that user provides in email POST parameter. PoC Send POST request to wp-admin/admin-ajax.php with body content: "[email protected]" The...
WP Database Backup < 5.1.2 - XSS
The WP Database Backup WordPress plugin was affected by a XSS security vulnerability...
article2pdf - Multiple Vulnerabilities
The article2pdf WordPress plugin was affected by a Multiple Vulnerabilities security vulnerability...
Import users from CSV with meta <= 1.14.0.2 - XSS and CSRF
The Import and export users and customers WordPress plugin was affected by a XSS and CSRF security vulnerability...
WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
Description According to WordPress: "Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations."...
Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
According to the official release: "A privilege escalation vulnerability has been found in Contact Form 7 5.0.3 and older versions. Utilizing this vulnerability, a logged-in user in the Contributor role can potentially edit contact forms, which only Administrator and Editor-role users are allowed...
Ajax BootModal Login <= 1.4.3 - Captcha Reuse
The Ajax BootModal Login WordPress plugin was affected by a Captcha Reuse security vulnerability...
Chained Quiz <= 1.0.8 - Unauthenticated SQL Injection
WordPress Plugin Plugin Chained Quiz before 1.0.9 allows remote unauthenticated users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters. Technical details: Chained Quiz appears to be vulnerable to time-based SQL-Injection. The issue lies on the "$answer" backend variable...
Form Maker by WD < 1.12.24 - CSV Injection
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin was affected by a CSV Injection security vulnerability...
WordPress File Upload <= 4.3.3 - Cross-Site Scripting (XSS)
The WordPress File Upload WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...